CLAIMS 

What is claimed is: 

1 LA method for filtering packets, wherein a flow corresponds to a stream of 

2 packets for a particular communication session, comprising: 

3 identifying a protocol used to transmit a packet; 

4 identifying the flow to which the packet belongs; 

5 determining whether a rules table exists for the protocol; 

6 determining, if the rules table exists, whether a state table includes a matching 

7 flow entry corresponding to the flow; 

8 determining, if the state table includes the matching flow entry, whether a state of 

9 the flow will transition from a current state indicated in the matching flow entry to a valid 

10 destination state indicated in a state-transition rule in the rules table; and 

1 1 discarding the packet, if the state of the flow will not transition to the valid 

12 destination state. 
1 

1 2. The method of claim 1, wherein the protocol comprises a protocol whose 

2 operation is capable of being defined by a finite state machine. 
1 

1 3. The method of claim 2, wherein the protocol comprises one of the 

2 following: File Transfer Protocol, Telnet, Hypertext Transfer Protocol, H.323, Real Time 

3 Transport Protocol/Real Time Control Protocol and Secure Shell Protocol, 
l 
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1 4. The method of claim 1, further comprising discarding the packet, if no 

2 rules table exists for the protocol, 
l 

1 5. The method of claim 1 , further comprising transmitting the packet if no 

2 rules table exists for the protocol. 
1 

1 6. The method of claim 1 , further comprising transmitting the packet if the 

2 flow will transition to the valid destination state. 
1 

1 7. The method of claim 1 , further comprising: 

2 determining whether the flow causes a skip count to be reached, wherein the skip 

3 count indicates a flow to examine after skipping a number of flows; 

4 examining the flow, if the flow causes the skip count to be reached; 

5 resetting the skip count, if the flow is examined; 

6 skipping the flow, if the flow fails to cause the skip count to be reached; and 

7 incrementing the skip count, if the flow is skipped. 
1 

1 8. The method of claim 7, further comprising: 

2 determining that a number of actual flows fails to exceed a preset threshold of 

3 flows; and 

4 examining flows based on the skip count, as a result of the number of actual flows 

5 failing to exceed the preset threshold. 
1 
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1 9. The method of claim 7, further comprising: 

2 determining that a number of actual flows exceeds a preset threshold of flows; 

3 determining a number of preset steps by which the number of actual flows 

4 exceeds the preset threshold; 

5 multiplying the number of preset steps by a preset skip-count modifier; and 

6 changing the skip count to a different skip count equal to the product of the preset 

7 number of steps and the preset skip-count modifier. 
1 

1 10. The method of claim 1 , wherein determining whether the state table 

2 includes the matching flow entry comprises: 

3 performing a hashing function based, at least in part, on values in the packet; 

4 determining whether a flow entry matches a result of the hashing function; 

5 determining, if the flow entry matches the result, whether the packet values 

6 hashed to generate the result match values used to generate the flow entry; and 

7 determining, if the packet values match the values used to generate the flow entry, 

8 that the flow entry is the matching flow entry. 
1 

1 11. The method of claim 1 0, further comprising: 

2 performing one or more additional hashing functions according to a number 

3 related to a skip count, if no flow entry matches the result of the hashing function, 

4 wherein the skip count indicates a flow to examine after skipping a number of flows; and 
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5 performing the one or more additional hashing functions according to the number 

6 related to the skip count, if the flow entry matches the result of the hashing function, but 

7 the packet values fail to match the values used to generate the flow entry. 
1 

1 12. The method of claim 11, wherein performing the one or more additional 

2 hashing functions according to the number related to the skip count comprises: 

3 performing a preset minimum number of additional hashing functions, if the skip 

4 count comprises a first value; 

5 performing an increased number of additional hashing functions, if the skip count 

6 is increased, wherein the increased number of additional hashing functions is greater than 

7 the preset minimum number of additional hashing functions, but less than a preset 

8 maximum number of additional hashing functions; and 

9 performing the preset maximum number of additional hashing functions, when 

10 the increased number of additional hashing functions reaches the preset maximum 

1 1 number of additional hashing functions. 
1 

1 13. The method of claim 10, further comprising: 

2 identifying, if the state table fails to include the matching flow entry, a set of one 

3 or more state-transition rules having an indication to create an additional flow entry; 

4 determining whether the packet includes a transition pattern indicated in a state- 

5 transition rule in the set, wherein the transition pattern indicates that the additional flow 

6 entry is to be created; 

7 creating the additional flow entry, if the packet includes the transition pattern; and 
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8 discarding the packet, if the packet fails to include the transition pattern, 

l 

1 14. The method of claim 1, wherein determining whether the state of the flow 

2 will transition to the valid destination state comprises: 

3 performing an operation using the current state and combined source states 

4 indicated in a state-transition rule; 

5 determining whether the current state matches a result of the operation; 

6 determining, if the current state matches the result of the operation, that the 

7 combined source states include the current state; 

8 determining, as a result of the combined source states including the current state, 

9 whether the packet includes a transition pattern indicated in the state-transition rule; and 
10 determining, if the packet includes the transition pattern, that the state of the flow 



1 1 will transition from the current state to the valid destination state in the state-transition 

12 rule in the set. 
1 



1 15. The method of claim 14, wherein the operation comprises an AND 

2 operation. 
1 

1 16. The method of claim 14, further comprising: 

2 identifying in the state-transition rule, if the state of the flow will transition to the 

3 valid destination state, a source state-destination state pair that includes the current state; 

4 and 
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5 replacing the current state with the destination state indicated in the source state- 

6 destination state pair. 
1 

1 17. The method of claim 16, further comprising: 

2 determining whether the source state-destination state pair includes an evict 

3 indication; and 

4 evicting the matching flow entry, if the source state-destination state pair includes 

5 the evict indication, 
l 

1 18. The method of claim 14, further comprising 

2 discarding the packet, if the packet fails to include the transition pattern included 



3 in a plurality of state-transition rules whose combined source states include the current 

4 state, 
l 



1 1 9. The method of claim 1 , wherein discarding the packet comprises: 

2 determining whether the packet causes a predetermined number of packets 

3 associated with invalid transitions to be reached; and 

4 discarding the packet, if the packet causes the predetermined number to be 

5 reached, 
l 

1 20. An apparatus comprising: 

2 a classifier, to identify a protocol used to transmit a packet and identify a stream 

3 of packets to which the packet belongs, wherein the stream of packets comprises a flow; 
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4 one or more rules tables that include one or more state-transition rules; 

5 one or more state tables for the protocol that include one or more flow entries and 

6 values used to generate the flow entries; and 

7 a rules engine, to determine whether a rules table exists for the protocol, 



8 determine, if the rules table exists, whether the state table includes a matching flow entry 

9 corresponding to the flow, determine, if the state table includes the matching flow entry, 

10 whether the flow will transition from a current state to a valid destination state indicated 

11 in a state-transition rule, and discard the packet, if the flow will not transition to the valid 

12 destination state, 
l 

1 21. The apparatus of claim 20, wherein the rules engine determines whether 

2 the state table includes the matching flow entry by performing a hashing function based, 

3 at least in part, on values in the packet, determining whether a flow entry matches a result 

4 of the hashing function, determining, if the flow entry matches the result, whether the 

5 packet values hashed to generate the result match values used to generate the flow entry, 

6 and determining, if the packet values match the values used to generate the flow entry, 

7 that the flow entry is the matching flow entry. 
1 



1 22. The apparatus of claim 20, wherein the rules engine determines whether 

2 the state of the flow will transition to the valid destination state by performing an 

3 operation using the current state and combined source states indicated in a state-transition 

4 rule, determining whether the current state matches a result of the operation, determining, 

5 if the current state matches the result of the operation, that the combined source states 
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6 include the current state, determining, as a result of the combined source states including 

7 the current state, whether the packet includes a transition pattern indicated in the state- 

8 transition rule, and determining, if the packet includes the transition pattern, that the state 

9 of the flow will transition from the current state to the valid destination state in the state- 
10 transition rule in the set. 

1 



1 23. An article of manufacture comprising: 

2 a machine-accessible medium including thereon sequences of instructions that, 

3 when executed, cause an electronic system to: 

4 identify a protocol used to transmit a packet; 

5 identify the flow to which the packet belongs; 

6 determine whether a rules table exists for the protocol; 

7 determine, if the rules table exists, whether a state table includes a matching flow 

8 entry corresponding to the flow; 

9 determine, if the state table includes the matching flow entry, whether a state of 

10 the flow will transition from a current state indicated in the matching flow entry to a valid 

1 1 destination state indicated in a state-transition rule in the rules table; and 

12 discard the packet, if the state of the flow will not transition to the valid 

13 destination state. 
1 

1 24. The article of manufacture of claim 23, wherein the machine-accessible 

2 medium further comprises sequences of instructions that, when executed, cause the 

3 electronic system to: 
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4 determine whether the flow causes a skip count to be reached, wherein the skip 

5 count indicates a flow to examine after skipping a number of flows; 

6 examine the flow, if the flow causes the skip count to be reached; 

7 reset the skip count, if the flow is examined; 

8 skip the flow, if the flow fails to cause the skip count to be reached; and 

9 increment the skip count, if the flow is skipped. 
1 

1 25. The article of manufacture of claim 24, wherein the machine-accessible 

2 medium further comprises sequences of instructions that, when executed, cause the 

3 electronic system to: 

4 determine that a number of actual flows fails to exceed a preset threshold of 

5 flows; and 

6 examine flows based on the skip count, as a result of the number of actual flows 

7 failing to exceed the preset threshold, 
l 

1 26. The article of manufacture of claim 24, wherein the machine-accessible 

2 medium further comprises sequences of instructions that, when executed, cause the 

3 electronic system to: 

1 determining that a number of actual flows exceeds a preset threshold of flows; 

2 determine a number of preset steps by which the number of actual flows exceeds 

3 the preset threshold; 

4 multiply the number of preset steps by a preset skip-count modifier; and 
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5 change the skip count to a different skip count equal to the product of the preset 

6 number of steps and the preset skip-count modifier. 
1 

1 27. The article of manufacture of claim 23, wherein the sequences of 



2 instructions that, when executed, cause the electronic system to determine whether the 

3 state table includes the matching flow entry comprise sequences of instructions that, 

4 when executed, cause the electronic system to: 



5 perform a hashing function based, at least in part, on values in the packet; 

6 determine whether a flow entry matches a result of the hashing function; 

7 determine, if the flow entry matches the result, whether the packet values hashed 

8 to generate the result match values used to generate the flow entry; and 

9 determine, if the packet values match the values used to generate the flow entry, 
10 that the flow entry is the matching flow entry. 

l 

1 28. The article of manufacture of claim 27, wherein the machine-accessible 

2 medium further comprises sequences of instructions that, when executed, cause the 

3 electronic system to: 

4 identify, if the state table fails to include the matching flow entry, a set of one or 

5 more state-transition rules having an indication to create an additional flow entry; 

6 determine whether the packet includes a transition pattern indicated in a state- 

7 transition rule in the set, wherein the transition pattern indicates that the additional flow 

8 entry is to be created; 

9 create the additional flow entry, if the packet includes the transition pattern; and 
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10 discard the packet, if the packet fails to include the transition pattern, 

l 

1 29. The article of manufacture of claim 23, wherein the sequences of 

2 instructions that, when executed, cause the electronic system to determine whether the 

3 state of the flow will transition to the valid destination state comprise sequences of 

4 instructions that, when executed, cause the electronic system to: 



5 perform an AND operation using the current state and combined source states 

6 indicated in a state-transition rule; 

7 determine whether the current state matches a result of the operation; 

8 determine, if the current state matches the result of the operation, that the 

9 combined source states include the current state; 

10 determine, as a result of the combined source states including the current state, 

1 1 whether the packet includes a transition pattern indicated in the state-transition rule; and 

12 determine, if the packet includes the transition pattern, that the state of the flow 



13 will transition from the current state to the valid destination state in the state-transition 

14 rule in the set. 
l 



1 30. A system comprising: 

2 a processor; 

3 a network interface coupled with the processor; and 

4 an article of manufacture comprising a machine-accessible medium including 

5 thereon sequences of instructions that, when executed, cause an electronic system to: 

6 identify a protocol used to transmit a packet; 
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7 identify the flow to which the packet belongs; 

8 determine whether a rules table exists for the protocol; 

9 determine, if the rules table exists, whether a state table includes a matching flow 

10 entry corresponding to the flow; 

1 1 determine, if the state table includes the matching flow entry, whether a state of 

12 the flow will transition from a current state indicated in the matching flow entry to a valid 

13 destination state indicated in a state-transition rule in the rules table; and 

14 discard the packet, if the state of the flow will not transition to the valid 

15 destination state. 
1 

1 31. The system of claim 30, wherein the sequences of instructions that, when 



2 executed, cause the electronic system to determine whether the state table includes the 

3 matching flow entry comprise sequences of instructions that, when executed, cause the 

4 electronic system to: 

5 perform a hashing function based, at least in part, on values in the packet; 

6 determine whether a flow entry matches a result of the hashing function; 

7 determine, if the flow entry matches the result, whether the packet values hashed 

8 to generate the result match values used to generate the flow entry; and 

9 determine, if the packet values match the values used to generate the flow entry, that the 
10 flow entry is the matching flow entry. 

l 
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1 32. The system of claim 30, wherein the machine-accessible medium further 

2 comprises sequences of instructions that, when executed, cause the electronic system to: 

3 identify, if the state table fails to include the matching flow entry, a set of one or 

4 more state-transition rules having an indication to create an additional flow entry; 

5 determine whether the packet includes a transition pattern indicated in a state- 

6 transition rule in the set, wherein the transition pattern indicates that the additional flow 

7 entry is to be created; 

8 create the additional flow entry, if the packet includes the transition pattern; and 

9 discard the packet, if the packet fails to include the transition pattern, 
l 

1 33. The system of claim 30, wherein the sequences of instructions that, when 



2 executed, cause the electronic system to determine whether the state of the flow will 

3 transition to the valid destination state comprise sequences of instructions that, when 

4 executed, cause the electronic system to: 



5 perform an AND operation using the current state and combined source states 

6 indicated in a state-transition rule; 

7 determine whether the current state matches a result of the operation; 

8 determine, if the current state matches the result of the operation, that the 

9 combined source states include the current state; 

10 determine, as a result of the combined source states including the current state, 

1 1 whether the packet includes a transition pattern indicated in the state-transition rule; and 
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12 determine, if the packet includes the transition pattern, that the state of the flow 

13 will transition from the current state to the valid destination state in the state-transition 

14 rule in the set. 



042390.P16538 



Express Mail No. EV325527520US 



